
HR auth to restrict pay/time for family members or friends

Former Member
0 Kudos

I understand that authorizations and controls are at the infotype/subtype level and via structural authorization; however, I have been asked to find out if it is possible to add additional authorizations to prevent payroll users or time entry personnel from entering pay or time in a fraudulent way for relatives, spouses, kids, friends etc. For example, a payroll clerk may incorrectly generate a lump sum payment to a spouse, or a timekeeper may inflate hours worked for a child. Any suggestions for controls or audit tips and tricks would be appreciated.

4 REPLIES 4

Former Member
0 Kudos

All you need to do is maintain IT 0105 to get to the authentication and smtp address data, then call web services from Facebook, LinkedIn & Co. to get the relations and configure customizing for tolerance thresholds of "likes", geographical locations, credit card payment data, points gaming, etc. There is no other way to find friends or distant relatives who are business partners, fictitious employees, etc.

This is called SOA in the IT jargon and is quite trendy amongst people "who have been asked to ask someone else who has an uncle who...".

Good luck and keep us posted!

Cheers,

Julius

Former Member
0 Kudos

I think what Julius is trying to say, and please correct me if I'm wrong, is that there's no way to administer who's friends with which payroll and/or time admin unless you want to try and integrate i.e. Facebook data.

There certainly are possibilities when it comes to HR authorizations to control which PY or TM admin can access which part of the organization in addition to the usual suspects such as personnel area, employee (sub)group etc. from the P_ORGIN object.

You could have a look at the possibilities of using the organizational key (VDSK1) or the fields that are used in object P_ORGXX.

All of the above do still however require you to manually investigate and administer for which part (the part without relatives or friends) of the organization the PY/TM admin is responsible.

Good luck!

Former Member
0 Kudos

My thought is to use a custom p_pernr and populate IT0105 with a custom subtype which would store the employee IDs of the family members. My thinking is that this would restrict the pay/time clerk from updating their master data - is this possible?

0 Kudos

That seems to me to be a lot of work for something that can also be ensured by having proper controls in place.

Are you employing infotype locking or some other form of approval mechanism? This ensures that a PY admin cannot give out free raises unless another user verifies the change that has been made.

I think you'll be better off by handling these potentially malicious payroll clerks in a procedural way instead.

A report can be made that displays all financial transactions that have been done in the past month, for example. These can be checked and approved before every payroll run, for example.

There are also a few commercial products that are made specifically for this purpose.

Imagine the time required to gather data of who's related to whom and who is friends with which payroll clerk and when that's done, it needs to be administered in SAP as well.
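
The pre-payroll review report suggested in the last reply, combined with the declared-relationship register from the reply before it, as an added example that is not part of any post in this thread. The export layout, column names, user IDs, personnel numbers and the set of monitored infotypes are all assumptions constructed for illustration, not a real SAP report format.

```python
import csv
import io
from datetime import date

# Constructed sample: an export of logged infotype changes. The column names
# are assumptions for this example, not a real SAP report layout.
SAMPLE_LOG = """changed_on,changed_by,pernr,infotype,amount,approved_by
2024-05-03,CLERK_A,00001001,0015,2500.00,SUPER_1
2024-05-07,CLERK_A,00001002,0015,9000.00,
2024-05-09,CLERK_B,00001003,0008,4100.00,CLERK_B
2024-05-12,CLERK_B,00001004,0006,0.00,
2024-05-20,CLERK_A,00001005,2010,320.00,SUPER_1
2024-04-28,CLERK_A,00001002,0015,700.00,
"""

# Assumption: infotypes treated as pay/time relevant for this review.
PAY_INFOTYPES = {"0008", "0014", "0015", "2010"}

# Constructed register of self-declared relationships (clerk -> personnel
# numbers), standing in for the custom-subtype idea raised in the thread.
DECLARED = {"CLERK_A": {"00001005"}}


def review_changes(log_text, start, end, declared=DECLARED):
    """Return (row, reasons) for pay-relevant changes in [start, end] that need review."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        changed_on = date.fromisoformat(row["changed_on"])
        if not (start <= changed_on <= end) or row["infotype"] not in PAY_INFOTYPES:
            continue
        reasons = []
        approver = row["approved_by"].strip()
        if not approver:
            reasons.append("no approver")            # four-eyes step skipped
        elif approver == row["changed_by"]:
            reasons.append("self-approved")          # same user on both sides
        if row["pernr"] in declared.get(row["changed_by"], set()):
            reasons.append("declared relationship")  # review even if approved
        if reasons:
            findings.append((row, reasons))
    return findings


if __name__ == "__main__":
    for row, reasons in review_changes(SAMPLE_LOG, date(2024, 5, 1), date(2024, 5, 31)):
        print(row["changed_on"], row["changed_by"], row["pernr"],
              row["infotype"], row["amount"], "->", ", ".join(reasons))
```

The register only catches relationships that were declared, so the approver checks remain the primary control and the register is a secondary flag.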